Senators to push privacy, security legislation for IoT

Some Democratic senators want new laws that mandate security and privacy measures on the Internet of Things, as concern grows over personal data collected by connected devices.

Several democratic members of the Senate Commerce, Science and Transportation Committee said Wednesday they are exploring legislation that would enforce privacy and security standards for connected devices. Senator Edward Markey, a Massachusetts Democrat, plans to introduce a bill that will focus on security standards and the data collected by connected automobiles.

This week, Markey released a report saying that most auto manufacturers selling vehicles in the U.S. have "massive holes" in their data security. Only two of 16 car companies that responded to information requests from Markey's office said they have capabilities to respond to a hacking attack in real time, he said during a hearing.

New cars are now "computers on wheels," Markey said, and hacked vehicles can be dangerous.

"A small vulnerability or error in coding can lead to a catastrophic consequence for drivers, passengers and pedestrians," he said. "Thieves no longer need a crowbar to break into your car -- they just need a smartphone."

Markey's legislation will require that makers of wireless access points on connected cars use penetration testing technologies and that collected data is encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time.

The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation.

Car companies that can build software to track vehicle performance and other information "should have the same geniuses in those companies to build in protection for security and privacy," Markey said. "If you can figure out an algorithm that sends information around the world in the blink of an eye, you should be able to figure out an algorithm that provides consumers the security and privacy they need."

Representatives of auto makers didn't testify during the hearing. The Alliance of Automobile Manufacturers, a trade group, said it has not yet fully reviewed Markey's report, but its members take several steps to protect security and to tell customers about the data they collect.

"Automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers," the group said in a statement.

Other Democrats in the hearing also suggested they are open to new legislation addressing the privacy and security of the IoT. The IoT industry is projecting huge growth by collecting customer data, and Congress needs to "find that balance" between the industry's data collection and customer privacy, said Senator Joe Manchin, a West Virginia Democrat.

More transparency about the kinds of data IoT devices are collecting is also needed, said Senator Richard Blumenthal, a Connecticut Democrat who plans to cosponsor Markey's connected cars bill. Congress should explore legislation that more easily allows consumers to file class-action lawsuits for data breaches, he said.

Congress should also consider legislation that requires companies to follow best practices in cybersecurity, said Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology. While the U.S. Federal Trade Commission has brought dozens of data security complaints against companies, it is facing court challenges on its authority to do so, he noted.

Several speakers at the hearing brought up recent concerns about the ability of smart TVs to capture conversations via their voice command features. Brookman also mentioned the cases where hackers have taken over webcams and broadcast videos online.

Congress, while considering a national breach notification law, should expand the consumer data covered by notifications to include nonfinancial information held in online accounts, he said. "Internet of Things devices reveal really sensitive stuff about us," Brookman added.

While some committee Democrats said they will explore legislation, representatives of the IoT industry urged Congress to go slow. Consumer confidence in the IoT is important, "but we must not overregulate in a way that would stifle innovation," said Michael Abbott, a general partner in the venture capital firm Kleiner Perkins Caufield & Byers.

Most of the panel's majority Republicans, and a handful of Democrats, agreed. The IoT is in early stages of its growth, and Congress shouldn't rush in to regulate, they said.

"Let's treat the Internet of Things with the same light touch that has caused the Internet to be such a great American success story," said Senator John Thune, a South Dakota Republican and committee chairman. "We should let consumers and entrepreneurs decide where IoT goes, rather than setting it on a Washington, D.C., directed path."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Slideshows

ARN Exchange: Channel discusses security spending priorities

Customers spending priorities, drawing up a security strategy for customers and partners, detailing how partners can increase profit through security and outlining key areas of market growth ahead were some of the topics discussed at the ARN Exchange event in Sydney. Partners got together to talk about the spending priorities of customers within the security market today and the skills required from partners to deliver those services. The event was in association with Juniper Networks, Webroot, Cloud Plus and Mimecast. Photos by Christine Wong.

What are the spending priorities of customers within the security market today and what are the skills required from partners to deliver those services? An overview of the security market in Australia was debated in the ARN Exchange event in Melbourne with discussions covering the customers spending priorities, drawing up a security strategy for customers and partners, detailing how partners can increase profit through security and outlining key areas of market growth ahead. The event was in association with Juniper Networks, Webroot, Cloud Plus and Mimecast. Photos by Raymond Korn.

The channel came together for the forth running of the ARN Emerging Leaders Forum in Australia, created to provide a program that identifies, educates and showcases the upcoming talent of the ICT industry.
Hosted as a half day forum, attendees heard from industry specialists as keynoters and panellists discussed leadership paths and career choices. Hall of Fame members and industry mentors​ hosted small groups of future leaders to mentor and advise.
This also marked ARN's inaugural 30 Under 30 Tech Awards, which recognised young talent in the Australian IT industry across technical, sales, marketing, management, human resources and entrepreneur categories.
Photos by Christine Wong.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.